Let's start with a brief introduction:
What is penetration testing?
A penetration test is a security practice in which a penetration tester performs simulated attacks, using various tools and techniques, to identify and exploit vulnerabilities in a computer system. The purpose of such attacks is to find the loopholes in the security defenses and provide remediation guidance to eliminate those weaknesses before an attacker can take advantage of them.
Types of penetration testing:
Black Box: In this type of testing, the Pentesters do not have any knowledge of the internal structures or workings of the system being attacked. This is a typical scenario where Pentesters behave as actual attackers, and they try to break into the system with the help of their analysis, evaluations, and techniques.
Gray Box: In this type of testing, the Pentesters are provided with limited information such as login credentials and some information about the target's internal data structures, code, and algorithms.
White Box: In this type of testing, the Pentesters are provided full access to source code, architecture documentation, internal structures, or workings of the system i.e. they have everything that they need. Hence, this approach of testing provides the highest level of assurance in the least amount of time.
Penetration Testing Life Cycle:
Penetration testing is broadly classified into 6 phases:
Pre-Engagement Interactions
Intelligence Gathering
Threat Modeling
Vulnerability Identification
Exploitation
Post Exploitation
Reporting
Penetration Testing Offerings:
Web Application & Services
Network Security
Mobile (Android & iOS)
Cloud Security
Source Code Review
Red & Blue Team
How to start a career as a Penetration Tester?
What and Who is a Penetration Tester?
Everything is being digitized, and day by day you can observe how the technology changes. Now, the biggest question is "Are these secured?". People may have doubts and hesitate to use online services, and they become more defensive when financial transactions are involved. However, these services are still gaining popularity, and people are happy with their experiences.
Why is this safe?
This is where security penetration testers come in. A pentester (commonly known as an ethical hacker) is a person authorized to penetrate a system's security and perform simulated attacks with the help of various tools and techniques. Simply put, their job is to act like actual attackers, find loopholes in the system's security, and report them to the concerned authority or organization.
However, "Pentester" or "Ethical Hacker" is not always listed as a job title. Here are some common job titles that may involve pentesting responsibilities:
Security Analyst
Security Engineer
Security Consultant
Types of Hackers:
This is a brief overview, particularly for movie fans who may have heard these terms in films.
White Hat Hackers - Ethical hackers (aka pentesters).
Gray Hat Hackers - Gray hats fall into a fuzzy area. Their intent is not always malicious, but it is not always ethical either.
Black Hat Hackers - Their intent and purpose are illegal. Cyber-criminals fall into this category.
Required skills to become a Penetration Tester:
Pentesters need a solid understanding of information technology (IT), platforms, and security systems to evaluate and exploit vulnerabilities in a computer system. Hence, they should have knowledge of the following:
Programming languages, especially Python and JavaScript
Operating Systems (Linux, Windows, macOS environments)
Security assessment tools (Burp Suite, Nmap, Nessus, Kali Linux)
Computer Networks
Design and Architectural knowledge
Coding knowledge (It's an add-on)
This is good enough to get started, and once you have covered this much, you will be able to explore more.
Penetration Tester Formula:
Knowledge(Technology + Hacking) + Attacker Mindset = Penetration Tester
Apart from the knowledge, you must always think one step ahead of the attackers to become a successful Penetration Tester.
Penetration Testing Courses:
Training Companies:
SANS Institute (www.sans.org)
Mile2 (mile2.com)
Online Training Companies:
SANS Institute (www.sans.org)
eLearnSecurity (www.elearnsecurity.com)
Pentester Academy (www.pentesteracademy.com)
PentesterLab (pentesterlab.com)
Penetration Testing Books:
Penetration Testing: A Hands-on Introduction to Hacking (Georgia Weidman)
Penetration Testing for Dummies (Robert Shimonski)
Penetration Testing Essentials (Sean-Philip Oriyano)
Penetration Testing: Security Analysis (EC-Council Press)
Advanced Penetration Testing: Hacking the World’s Most Secure Networks (Wil Allsopp)
Penetration Testing Labs:
PentesterLab (https://pentesterlab.com)
Try Hack Me (https://tryhackme.com)
Hack The Box (https://www.hackthebox.eu)
Attack-Defense (https://attackdefense.com)
Vulnhub (https://www.vulnhub.com)
PortSwigger (https://portswigger.net/web-security/all-labs)
Penetration Testing Certifications:
You can enroll in different security courses online or offline, and after completing a course you can take the respective certification exam to become a certified subject matter expert.
Entry-Level Certifications:
Certified Ethical Hacker (CEH)
PenTest+
eLearnSecurity Junior Penetration Tester (eJPT)
Intermediate-Level Certifications:
Offensive Security Certified Professional (OSCP)
GIAC Penetration Tester (GPEN)
Advanced-Level Certification:
Offensive Security Certified Expert (OSCE)
GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
Now comes the best part, the one everyone wants after this much learning: "Earnings". If you have completed the required prerequisites for the job, then I am sure that you are already aware of how and where you can earn. If not, then this is for you.
Where to get a job as a Penetration Tester:
You don't have to worry about finding a job, as almost every organization requires a Security Consultant or a Pentester to make its system security robust. However, I am still listing some organizations for your reference:
Synopsys Inc.
Microsoft Cybersecurity Protection
Akamai Technologies Services
VMware Professional Services
Sophos Professional Services
Cisco Security Services
SAINT Security Suite
RSA
IBM Security
Amazon Macie
Salary Insight:
Finally, we have come to where you wanted us to be. As we know, salary always depends on the skill set, experience, and, more significantly, what you can bring to your organization.
According to Payscale.com, Penetration Testers make from about $55,000 to about $133,000 per annum, with an average annual salary of $82,500. Bonuses, commissions, and profit-sharing add, on average, about $17,000 annually.
Conclusion:
Through this blog, we have tried to explain what is required to start your career as a Penetration Tester.
Thank you for reading this article.
Please follow us!
We respect your knowledge and ideas. Please feel free to contact us at securesect@outlook.com. Our team stands ready to make corrections and enhancements.
Vishal Gaur
@Security Researcher and Consultant
References:
The Pentester BluePrint: Starting a Career as an Ethical Hacker (Phillip L. Wylie and Kim Crawley)
https://www.payscale.com/research/US/Job=Penetration_Tester/Salary
https://www.synopsys.com/glossary/what-is-penetration-testing.html
https://resources.infosecinstitute.com/topic/what-are-black-box-grey-box-and-white-box-penetration-testing/
https://www.g2.com/categories/security-and-privacy-services
https://portswigger.net/
https://github.com/michelbernardods/labs-pentest
https://www.coursera.org/aticles/how-to-become-a-penetration-tester
https://owasp.org/